From owner-freebsd-security Sat Apr 21 1:53:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id 9BBAF37B422 for ; Sat, 21 Apr 2001 01:53:21 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id QAA16889 for ; Sat, 21 Apr 2001 16:55:50 +0800 (KRAST) (envelope-from poige@morning.ru)
Date: Sat, 21 Apr 2001 16:56:20 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Reply-To: Igor Podlesny
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <1972094846.20010421165620@morning.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: static arp values
X-Sender: Igor Podlesny
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

PT> On Fri, 20 Apr 2001, Joseph Gleason wrote:

>> When you do arp -a, is the static entry you set marked as permanent?

PT> yes it is

>> Did you simulate another box taking that IP and look at the arp table
>> afterward?

PT> Yes I did. And the arp is in fact what it is supposed to be. So it appears
PT> static. (when I did the same thing on w2k, arp -s, the mac address
PT> changed).

PT> But I can still sniff the connection between the machine with the static
PT> arp value and the router. That is what I find strange.

hm. it seems you need to know how ETHERNET networks work. No matter whether
a box knows the MAC addr of the other box or asks the network for it, in the
end they will talk to each other over SHARED media, which ETHERNET certainly
is. You may use `Switches' to avoid such a situation; some of them can even
be configured to bind their ports to respective MAC addrs, but some cards can
have their MAC changed, as "Joseph Gleason" mentioned before...

In short, all these gotchas are drawbacks of Ethernet technology. If you use
it, the only way to be 99% protected is to use VPN technology over it.

good luck!

PT> I simulate the man-in-the-middle attack with ettercap by the way.

>> Also, you should be aware that some cards allow you to change the MAC
>> address of the card. (At least I think so...never tried it) So an evil
>> machine could steal the MAC address and fool the switch into sending it your
>> traffic.
>>
>> Depending on how advanced your switch is and if it is manageable, you can
>> hardcode what MAC address is on what port...avoid this one as well.
>>
>> ----- Original Message -----
>> From: "Pär Thoren"
>> To:
>> Sent: Friday, April 20, 2001 13:13
>> Subject: static arp values
>>
>> > Hi!
>> >
>> > Is it possible to make an arp table entry static? For example the arp address
>> > of my gateway, so that a man-in-the-middle attack can be prevented.
>> >
>> > I've tried "arp -S ip-address mac-address" but it seems that it is still
>> > possible to infect the arp table with a false mac address of the gateway and
>> > sniff the connection.
>> >
>> > /Pär

--
Igor mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
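The practical advice in the thread comes down to three checks: pin the gateway with `arp -S`, confirm the entry is listed as `permanent` in `arp -an`, and remember that a permanent entry protects only this host's table, not what the shared wire carries. The following is an added example, not code posted by anyone in the thread, that audits a FreeBSD-style `arp -an` listing against a pinned gateway binding, flags one MAC claimed by several IPs (a common spoofing indicator), and screens a list of observed ARP replies for ones that claim the gateway IP from a different MAC. The table text, the reply list and the `arp -an` field layout are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on FreeBSD's `arp -an` output (field layout is
# an assumption; this is not output captured from the thread).
SAMPLE_ARP_TABLE = """\
? (192.168.1.1) at 00:11:22:33:44:55 on fxp0 permanent [ethernet]
? (192.168.1.20) at 00:aa:bb:cc:dd:ee on fxp0 expires in 1168 seconds [ethernet]
? (192.168.1.21) at 00:11:22:33:44:55 on fxp0 expires in 900 seconds [ethernet]
"""

# Constructed sample of a host whose gateway entry was never pinned and has
# been overwritten by a forged reply (the situation Pär describes).
SAMPLE_ARP_TABLE_POISONED = """\
? (192.168.1.1) at 00:de:ad:be:ef:01 on fxp0 expires in 1200 seconds [ethernet]
? (192.168.1.20) at 00:aa:bb:cc:dd:ee on fxp0 expires in 1168 seconds [ethernet]
"""

# Constructed (sender IP, sender MAC) pairs as a sniffer might log ARP replies.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.20", "00:aa:bb:cc:dd:ee"),
    ("192.168.1.1", "00:de:ad:be:ef:01"),   # claims the gateway IP from another MAC
]

# Binding the administrator pinned with `arp -S` (constructed values).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]+)"
    r"(?:\s+on\s+(?P<iface>\S+))?\s+(?P<state>permanent|expires in \d+ seconds)"
)


def normalize_mac(mac):
    """Zero-pad each octet so '0:11:22:33:44:55' and '00:11:22:33:44:55' compare equal."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arp_table(text):
    """Turn `arp -an` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "mac": normalize_mac(m.group("mac")),
            "iface": m.group("iface"),
            "permanent": m.group("state") == "permanent",
        })
    return entries


def audit_arp_table(entries, gateway_ip, gateway_mac):
    """Return a list of findings; an empty list means the table looks as pinned."""
    findings = []
    expected = normalize_mac(gateway_mac)
    gateway = [e for e in entries if e["ip"] == gateway_ip]
    if not gateway:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    else:
        entry = gateway[0]
        if not entry["permanent"]:
            findings.append(f"gateway entry for {gateway_ip} is not permanent")
        if entry["mac"] != expected:
            findings.append(
                f"gateway {gateway_ip} resolves to {entry['mac']}, expected {expected}")
    # One MAC answering for several IPs is worth a look even when the gateway is pinned.
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")
    return findings


def check_arp_replies(replies, gateway_ip, gateway_mac):
    """Return the MACs of observed replies that claim the gateway IP with the wrong MAC."""
    expected = normalize_mac(gateway_mac)
    return [normalize_mac(mac) for ip, mac in replies
            if ip == gateway_ip and normalize_mac(mac) != expected]


if __name__ == "__main__":
    for label, table in (("pinned", SAMPLE_ARP_TABLE), ("poisoned", SAMPLE_ARP_TABLE_POISONED)):
        for finding in audit_arp_table(parse_arp_table(table), GATEWAY_IP, GATEWAY_MAC):
            print(f"[{label}] {finding}")
    for mac in check_arp_replies(SAMPLE_ARP_REPLIES, GATEWAY_IP, GATEWAY_MAC):
        print(f"[wire] ARP reply for {GATEWAY_IP} from unexpected MAC {mac}")
```

The two checks are deliberately separate: `audit_arp_table` only tells you whether this host's own table still matches what was pinned, while `check_arp_replies` looks at what is being said on the segment, which is where the forged replies that still fool every unpinned neighbour (and the switch's forwarding table) show up.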